Re: [rtcweb] More on authorization and endpoint authentication

Bernard Aboba <bernard_aboba@hotmail.com> Fri, 05 August 2011 00:13 UTC

From: Bernard Aboba <bernard_aboba@hotmail.com>
To: ekr@rtfm.com, rtcweb@ietf.org
Date: Thu, 04 Aug 2011 17:13:50 -0700
In-Reply-To: <CABcZeBM2hgNkBgvB=8uw_CKuQ+=F=TPBtJq16SyvQ=SKPNVY+A@mail.gmail.com>
References: <CABcZeBM2hgNkBgvB=8uw_CKuQ+=F=TPBtJq16SyvQ=SKPNVY+A@mail.gmail.com>
Subject: Re: [rtcweb] More on authorization and endpoint authentication

Eric Rescorla said: 

>   P2: Allow anyone to place a call provided that it goes to
>   *@ford.com.
> 
> The browser evaluates this (in the simplest case) by connecting to
> ford.com's SIP server and verifying that it is indeed ford.com

These two statements are *not* equivalent.  The first statement relates to the To: field; 
the second relates to authentication of the identity of the server to which the browser connects.
These elements are orthogonal and should not be conflated. 

As an example, if a BOSH connection manager is configured to route stanzas to domains other than
its own, a browser can use a BOSH connection manager to send XMPP stanzas to any
XMPP user.   Authenticating the BOSH connection manager (e.g. via TLS) imposes no
restriction whatsoever on who can be "called" via Jingle using that BOSH connection manager.   
That restriction would only be implemented within the BOSH connection manager, *not* within the 
browser.
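
The distinction drawn in the message above, modelled as an added example that is not part of the original mail or of any rtcweb or XMPP implementation: one function stands for what TLS authentication of the connection manager establishes (who the server is), and a separate function reads the `to` attribute of an XMPP/Jingle stanza and checks its domainpart. The policy names (`policy_server_only`, `policy_server_and_destination`), the JID and stanza samples, and the TLS peer name passed in as a plain string are all constructed for illustration; where the destination check is enforced (connection manager or browser) is the question the mail raises and the example does not settle.

```python
import xml.etree.ElementTree as ET

# Constructed sample stanzas (not from the original mail). Both are Jingle
# session-initiate requests sent through ford.com's BOSH connection manager;
# only the first is actually addressed to a ford.com user.
STANZA_TO_FORD = (
    '<iq xmlns="jabber:client" type="set" id="j1" '
    'from="guest@example.org/web" to="alice@ford.com/laptop">'
    '<jingle xmlns="urn:xmpp:jingle:1" action="session-initiate" sid="s1"/>'
    '</iq>'
)
STANZA_TO_OTHER = (
    '<iq xmlns="jabber:client" type="set" id="j2" '
    'from="guest@example.org/web" to="bob@example.net/phone">'
    '<jingle xmlns="urn:xmpp:jingle:1" action="session-initiate" sid="s2"/>'
    '</iq>'
)


def jid_domain(jid):
    """Return the lower-cased domainpart of a JID of the form
    [localpart@]domainpart[/resourcepart]. The resourcepart is split off
    first because it may itself contain '@'."""
    bare = jid.split("/", 1)[0]
    domain = bare.rsplit("@", 1)[-1]
    if not domain:
        raise ValueError("JID has no domainpart: %r" % jid)
    return domain.lower()


def stanza_destination_domain(stanza_xml):
    """Parse a stanza and return the domainpart of its 'to' attribute."""
    root = ET.fromstring(stanza_xml)
    to = root.get("to")
    if to is None:
        raise ValueError("stanza carries no 'to' attribute")
    return jid_domain(to)


def server_identity_ok(tls_peer_name, expected_server):
    """What authenticating the connection manager (e.g. via TLS) tells you:
    only that the peer you are talking to is expected_server. It says
    nothing about where the stanzas sent over that connection end up."""
    return tls_peer_name.lower() == expected_server.lower()


def destination_ok(stanza_xml, allowed_domain):
    """The orthogonal check: is the stanza's To domain the permitted one?"""
    return stanza_destination_domain(stanza_xml) == allowed_domain.lower()


def policy_server_only(tls_peer_name, stanza_xml):
    """Reading of P2 that only authenticates the server (hypothetical name).
    A connection manager that relays to foreign domains makes this pass
    for any callee."""
    return server_identity_ok(tls_peer_name, "ford.com")


def policy_server_and_destination(tls_peer_name, stanza_xml):
    """Reading of P2 that treats server identity and To: domain as two
    separate conditions (hypothetical name)."""
    return (server_identity_ok(tls_peer_name, "ford.com")
            and destination_ok(stanza_xml, "ford.com"))


def evaluate(tls_peer_name, stanza_xml):
    """Run both readings of the policy over one stanza and return the verdicts."""
    return {
        "server_only": policy_server_only(tls_peer_name, stanza_xml),
        "server_and_destination": policy_server_and_destination(tls_peer_name, stanza_xml),
    }


if __name__ == "__main__":
    # Both stanzas go through a connection manager that authenticates as ford.com.
    for label, stanza in (("to ford.com", STANZA_TO_FORD), ("to example.net", STANZA_TO_OTHER)):
        print(label, evaluate("ford.com", stanza))
```

Run stand-alone, the stanza addressed to example.net is accepted by the server-only reading and rejected only once the To: domain is examined on its own, which is the point that authenticating the connection manager does not bound the set of callees.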